Asymmetric denial of service - ReDoS In phpseclib/phpseclib

Description

Duplicate Advisory: phpseclib does not properly limit the ASN1 OID length

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-f2qx-66wf-wvvx. This link is maintained to preserve external references.

Original Description

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub-identifier of unbounded length may be supplied, leading to a denial of service (excessive CPU consumption in decodeOID).
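To make the failure mode concrete, the following is an added example (written here in Python, not phpseclib's own PHP code) of a bounded BER/DER OBJECT IDENTIFIER decoder. Each OID sub-identifier is encoded base-128, seven bits per byte with the high bit as a continuation flag, so a parser that keeps shifting bytes into an arbitrary-precision integer until the continuation bit clears will happily consume megabytes of 0xFF bytes on a single arc. The decoder below caps the bytes per sub-identifier (MAX_ARC_BYTES is an assumed value chosen for this example, not the limit the phpseclib fix uses), rejects non-minimal encodings, and reports a truncated final arc; decode_oid, oid_decode_error and craft_long_arc_oid are names invented for this example.

```python
"""Bounded BER/DER OBJECT IDENTIFIER decoder (added example, not phpseclib code)."""
from typing import List, Optional

# Assumed cap for this example: 10 bytes * 7 bits = 70 bits per arc, which
# comfortably covers every arc in real-world OIDs while bounding the work done.
MAX_ARC_BYTES = 10


class OIDError(ValueError):
    """Raised for malformed or oversized OID encodings."""


def decode_oid(contents: bytes, max_arc_bytes: int = MAX_ARC_BYTES) -> str:
    """Decode the contents octets of a BER OID (tag and length already stripped).

    Returns the dotted-decimal form, e.g. "1.2.840.113549.1.1.1".
    """
    if not contents:
        raise OIDError("empty OID contents")
    arcs: List[int] = []
    value = 0          # accumulator for the sub-identifier being decoded
    nbytes = 0         # bytes consumed so far for that sub-identifier
    for offset, b in enumerate(contents):
        nbytes += 1
        # The check that the advisory describes as missing: bound the length of
        # one sub-identifier before the accumulator can grow without limit.
        if nbytes > max_arc_bytes:
            raise OIDError(
                f"sub-identifier longer than {max_arc_bytes} bytes at offset {offset}"
            )
        # X.690 forbids a leading 0x80 continuation byte (non-minimal encoding);
        # rejecting it also stops a run of 0x80 padding from being accepted.
        if nbytes == 1 and b == 0x80:
            raise OIDError(f"non-minimal sub-identifier encoding at offset {offset}")
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue  # continuation bit set: more bytes follow for this arc
        if not arcs:
            # The first sub-identifier packs the first two arcs as 40*X + Y,
            # with X capped at 2 so Y may exceed 39 under root arc 2.
            if value < 80:
                arcs.extend((value // 40, value % 40))
            else:
                arcs.extend((2, value - 80))
        else:
            arcs.append(value)
        value = 0
        nbytes = 0
    if nbytes != 0:
        raise OIDError("truncated OID: final sub-identifier has continuation bit set")
    return ".".join(str(a) for a in arcs)


def oid_decode_error(contents: bytes, max_arc_bytes: int = MAX_ARC_BYTES) -> Optional[str]:
    """Return the rejection reason for a malformed OID, or None if it decodes."""
    try:
        decode_oid(contents, max_arc_bytes)
    except OIDError as exc:
        return str(exc)
    return None


def craft_long_arc_oid(arc_bytes: int) -> bytes:
    """Constructed hostile input: 1.2 followed by one arc of `arc_bytes` bytes.

    Every byte but the last has the continuation bit set, so an unbounded
    decoder keeps shifting for the whole run before it ever yields a value.
    """
    return b"\x2a" + b"\xff" * (arc_bytes - 1) + b"\x01"


if __name__ == "__main__":
    # Constructed sample: contents octets of the rsaEncryption OID 1.2.840.113549.1.1.1
    print(decode_oid(bytes.fromhex("2a864886f70d010101")))
    # A one-megabyte hostile arc is rejected after reading only MAX_ARC_BYTES + 1 bytes.
    print(oid_decode_error(craft_long_arc_oid(1_000_000)))
```

The decoder does not need to know the total OID length in advance: because the cap is enforced per sub-identifier as bytes arrive, the hostile input above costs eleven iterations regardless of how many megabytes follow, which is the property the advisory's fix restores.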

Mitigation

Upgrade to the patched release for the branch in use: 1.0.23 for 1.x, 2.0.47 for 2.x, or 3.0.36 for 3.x. Each is a patch-level release on its own branch; review the release notes for that branch before updating.

Ecosystem   Package               Affected versions    Patched versions
Packagist   phpseclib/phpseclib   1.x < 1.0.23         1.0.23
Packagist   phpseclib/phpseclib   2.x < 2.0.47         2.0.47
Packagist   phpseclib/phpseclib   3.x < 3.0.36         3.0.36